(54) Pseudorandom number generator

(57) A pseudorandom number generator which has a relatively small number of pseudorandom number generating circuits, such as linear feedback shift registers, and generates a sequence of pseudorandom numbers with high nonlinearity. The pseudorandom number generator is suitable for use in producing stream ciphers. It is provided with a combining function circuit for combining the outputs from the pseudorandom number generating circuits according to a nonlinear function, a shift register which operates in synchronism with a clock signal and stores the output from the combining function circuit at one end, and a nonlinear function circuit for nonlinearly combining predetermined bits of the stored bits of the shift register. The sequence of pseudorandom numbers is obtained from the output of the nonlinear function circuit.
Description

The present invention relates to a pseudorandom number generator for generating pseudorandom numbers.

Communication systems and computer systems employ stream cipher apparatus or the like which converts information into enciphered information by adding pseudorandom numbers to the information through an exclusive-OR operation, and recovers the original information by adding the same pseudorandom numbers to the enciphered information through an exclusive-OR operation, in order to prevent an unauthorized person from gaining unlawful access to the information.

Pseudorandom numbers used to encrypt information in order to prevent unauthorized access to it are required to be highly nonlinear. According to one widely used conventional process of generating pseudorandom numbers for encryption, the output signals from a plurality of pseudorandom number generating circuits are nonlinearly combined by a nonlinear function called a combining function to generate pseudorandom numbers of higher nonlinearity. A pseudorandom number generating circuit is a basic circuit, such as a linear feedback shift register or the like, for producing pseudorandom numbers. A pseudorandom number generator includes one or more such pseudorandom number generating circuits and generates pseudorandom numbers of higher nonlinearity.

A nonlinear combination is a combination which is not a linear combination. A linear combination of a plurality of bits x_1, ..., x_n, ... gives a bit y = x_1 ⊕ x_2 ⊕ ... ⊕ x_n or y = x_1 ⊕ x_2 ⊕ ... ⊕ x_n ⊕ 1, for example, using only exclusive-OR operations ⊕. A nonlinear combination of a plurality of bits x_1, ..., x_n, ... gives a bit y = x_1·x_2 ⊕ x_2·x_3 ⊕ ... ⊕ x_n·x_1, for example, using both AND operations (·) and exclusive-OR operations ⊕ (and possibly NOT operations), and it cannot be reduced to a linear combination no matter how the equation giving the bit y is rewritten. The nonlinearity of a nonlinear combination, in the sense used here, is the degree of the equation which gives the bit y, that is, the number of variables in its largest AND term when the equation is written as an exclusive-OR of AND terms. The greater the degree of the equation, the higher the nonlinearity. The greater the number of inputs to a nonlinear function, i.e., the number of pseudorandom number generating circuits to be combined, the higher the nonlinearity that can be achieved by a nonlinear combination.
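The degree and uniformity referred to above can be computed mechanically from a truth table. The following Python is an added example, not part of the patent: it derives the algebraic normal form (the exclusive-OR of AND terms) of a Boolean function by the Möbius transform and reads the degree off it, and it also computes the Walsh spectrum, which gives the nonlinearity in the other common sense (distance to the nearest affine function) and the probability that the function agrees with each of its inputs, which is the quantity a correlation attack measures. The three sample functions are constructed here: the linear combination and the quadratic combination from the text, and the 3-input combining function circuit of FIG. 6 described later (first input AND second, exclusive-ORed with third AND inverted second). Variable numbering and the helper names are mine.

```python
def truth_table(f, n):
    """Evaluate f(x1, ..., xn) on all 2**n inputs; bit k of the table index is x_(k+1)."""
    return [f(*[(i >> k) & 1 for k in range(n)]) for i in range(1 << n)]

def anf(tt):
    """Moebius transform of a truth table. anf(tt)[m] == 1 iff the AND-term over the variables
    whose bits are set in m appears in the algebraic normal form (exclusive-OR of AND-terms)."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for k in range(n):
        for m in range(len(a)):
            if m >> k & 1:
                a[m] ^= a[m ^ (1 << k)]
    return a

def monomials(tt):
    """ANF as a set of tuples of variable numbers; the empty tuple is the constant 1."""
    n = len(tt).bit_length() - 1
    return {tuple(k + 1 for k in range(n) if m >> k & 1) for m, c in enumerate(anf(tt)) if c}

def degree(tt):
    """Algebraic degree: the size of the largest AND-term. Exclusive-OR-only combinations have degree 1."""
    return max((len(m) for m in monomials(tt)), default=0)

def walsh(tt):
    """Walsh-Hadamard spectrum: walsh(tt)[a] = sum over x of (-1)**(f(x) XOR a.x), where a.x is the
    exclusive-OR of the inputs selected by the bits of a."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def agreement(tt, a):
    """P(f(x) == a.x) over uniform x; with a selecting a single input this is the correlation
    a correlation attack looks for."""
    return (len(tt) + walsh(tt)[a]) / (2 * len(tt))

def nonlinearity(tt):
    """Distance to the nearest affine function (the usual cryptographic meaning of nonlinearity);
    0 for any linear combination, whatever its number of inputs."""
    return (len(tt) - max(abs(w) for w in walsh(tt))) // 2

def is_balanced(tt):
    """Uniform in the text's sense: as many "1"s as "0"s."""
    return 2 * sum(tt) == len(tt)

# Sample functions (constructed for the example): the linear combination, the quadratic combination
# from the text, and the FIG. 6 combining function y = x1*x2 XOR (NOT x2)*x3.
linear = truth_table(lambda x1, x2, x3: x1 ^ x2 ^ x3, 3)
quadratic = truth_table(lambda x1, x2, x3: (x1 & x2) ^ (x2 & x3) ^ (x3 & x1), 3)
geffe = truth_table(lambda x1, x2, x3: (x1 & x2) ^ ((x2 ^ 1) & x3), 3)

if __name__ == "__main__":
    for name, tt in (("linear", linear), ("quadratic", quadratic), ("FIG. 6", geffe)):
        print(name, "ANF", sorted(monomials(tt)), "degree", degree(tt),
              "nonlinearity", nonlinearity(tt), "balanced", is_balanced(tt),
              "P(y = x1), P(y = x2), P(y = x3) =", [agreement(tt, 1 << k) for k in range(3)])
```

The FIG. 6 function comes out balanced and of degree 2, but it agrees with its first and third inputs three quarters of the time; balance (the text's "uniformity") and degree say nothing about that, which is why the agreement figures are the ones to check when a combining function is chosen.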

FIG. 1 is a functional block diagram of an example of a conventional pseudorandom number generator. As shown in FIG. 1, the conventional pseudorandom number generator comprises n pseudorandom number generating circuits 401_1 to 401_n, where n is an integer of 2 or higher, a combining function circuit 402 for nonlinearly combining the outputs from the n pseudorandom number generating circuits 401_1 to 401_n to produce a pseudorandom number at an output terminal 408, an input terminal 405 for being supplied with a control pulse (a clock pulse), an input terminal 406 for mode control, and an input terminal 407 for inputting, in parallel, a bit sequence called an initial state. Each of the pseudorandom number generating circuits 401_1 to 401_n is connected to the input terminals 405, 406 and 407. If a control pulse is inputted to the input terminal 405 while a signal "0" is being supplied to the input terminal 406, then each of the pseudorandom number generating circuits 401_1 to 401_n reads the initial state supplied from the input terminal 407 and holds it as an internal state. Each time a control pulse is inputted to the input terminal 405 while a signal "1" is being supplied to the input terminal 406, each of the pseudorandom number generating circuits 401_1 to 401_n outputs a pseudorandom number. Generally, the pseudorandom number generating circuits 401_1 to 401_n are supplied with respective different initial states.

A pseudorandom number is generated by the pseudorandom number generator shown in FIG. 1 as follows. First an initial state is supplied to the input terminal 407, then a signal "0" is supplied to the input terminal 406, and a control pulse is inputted to the input terminal 405. Then a signal "1" is supplied to the input terminal 406. Subsequently, each time a control pulse is inputted to the input terminal 405, the combining function circuit 402 nonlinearly combines the outputs from the pseudorandom number generating circuits 401_1 to 401_n to generate a pseudorandom number, which is outputted from the output terminal 408.

However, the conventional pseudorandom number generator is problematic in that the initial states set in the respective pseudorandom number generating circuits 401_1 to 401_n may be estimated by a deciphering process known as a correlation attack, allowing encrypted information to be unlawfully deciphered. Specifically, if the conditional probability distribution of the output of the combining function circuit 402, conditioned on the output of a certain pseudorandom number generating circuit 401_j (1 ≤ j ≤ n), is not uniform, then a pseudorandom number sequence generating circuit equivalent to the pseudorandom number generating circuit 401_j may be assumed, and an initial state of that circuit may be searched for which maximizes the correlation between its output sequence and the output sequence of the combining function circuit 402, thereby recovering the initial state given to the pseudorandom number generating circuit 401_j. Each generating circuit can thus be attacked on its own, at a cost that grows with the size of one circuit's state rather than with the combined state of all of them. Because of the above property, the conventional pseudorandom number generator cannot be used as a pseudorandom number generator for producing stream ciphers. The correlation attack is described in detail in "Analysis and Design of Stream Ciphers" by R. A. Rueppel, Springer-Verlag, 1986, pages 92-141.

In an attempt to prevent encrypted information from being decrypted by a correlation attack, the present inventor has proposed a pseudorandom number generator which uses as the pseudorandom number not the bit stream outputted by the combining function circuit itself, but a bit stream produced by convolving the output of the combining function circuit, as disclosed in Japanese unexamined patent publication (Kokai) No. Hei 7-104976 (JP, A, 7-104976). Using as the pseudorandom number a bit stream produced by convolving the output of the combining function circuit substantially uniformizes the conditional probability distribution of the pseudorandom numbers conditioned on the output of a certain pseudorandom number generating circuit, making it difficult to decipher the encrypted information with a correlation attack.

FIG. 2 shows in functional block form a conventional pseudorandom number generator which is designed to protect itself from a correlation attack. The pseudorandom number generator shown in FIG. 2 differs from the one shown in FIG. 1 in that a shift register 410 and an exclusive-OR gate 411 are inserted between the combining function circuit 402 and the output terminal 408. The shift register 410 is also connected to the input terminals 405, 406 and 407. If a control pulse is inputted to the input terminal 405 while a signal "0" is being supplied to the input terminal 406, then the shift register 410 reads a bit sequence, called an initial state, supplied from the input terminal 407 and holds it as an internal state. Each time a control pulse is inputted to the input terminal 405 while a signal "1" is being supplied to the input terminal 406, the shift register 410 shifts its internal state one bit to the right and holds the output from the combining function circuit 402 in its left end bit. The exclusive-OR gate 411 calculates a linear combination of predetermined bits of the internal state of the shift register 410, and the calculated linear combination is outputted as a pseudorandom number from the output terminal 408. As indicated by the dotted line in FIG. 2, the output from the combining function circuit 402 may also be applied to the exclusive-OR gate 411.

For generating a pseudorandom number with the pseudorandom number generator shown in FIG. 2, an initial state is supplied to the input terminal 407, then a signal "0" is supplied to the input terminal 406, and a control pulse is inputted to the input terminal 405. Then a signal "1" is supplied to the input terminal 406. Subsequently, each time a control pulse is inputted to the input terminal 405, a pseudorandom number is outputted from the output terminal 408.

FIG. 3 shows the internal structure of the shift register 410. The shift register 410 has m stages, and includes a clock input terminal 415, a mode switching signal input terminal 416, an internal state input terminal 417 for establishing an internal state in the shift register 410, an internal state output terminal 418 for outputting the internal state of the shift register 410, a shift input terminal 419, m 2-input selectors 421_1 to 421_m for making selections in response to the signal inputted to the mode switching signal input terminal 416, and m D-type flip-flops 422_1 to 422_m. The D-type flip-flops 422_1 to 422_m are clocked by the clock signal inputted to the clock input terminal 415 and receive the respective outputs of the selectors 421_1 to 421_m. The output sequence of the D-type flip-flops 422_1 to 422_m is referred to as the internal state of the shift register 410. In the arrangement shown in FIG. 2, the clock input terminal 415 is connected to the input terminal 405, the mode switching signal input terminal 416 to the input terminal 406, the internal state input terminal 417 to the input terminal 407, and the shift input terminal 419 to the output terminal of the combining function circuit 402. The selector 421_1 at the left end of the shift register 410 is supplied with the output of the combining function circuit 402 (see FIG. 2) through the shift input terminal 419 and with one bit of the internal state inputted from the internal state input terminal 417. Each of the other selectors 421_j (j = 2, ..., m) is supplied with the output of the D-type flip-flop 422_(j-1) and with its own bit of the internal state inputted from the internal state input terminal 417. When a signal "0" is supplied from the mode switching signal input terminal 416, the selectors 421_1 to 421_m select and output the respective bits supplied from the internal state input terminal 417. When a signal "1" is supplied from the mode switching signal input terminal 416, the selectors 421_1 to 421_m select and output the signal from the shift input terminal 419 and the signals from the preceding D-type flip-flops 422_1 to 422_(m-1), respectively. Each time a control pulse is supplied from the clock input terminal 415, the D-type flip-flops 422_1 to 422_m latch the respective outputs of the selectors 421_1 to 421_m and output the held values. The outputs of the respective D-type flip-flops 422_1 to 422_m are outputted as m parallel bits from the internal state output terminal 418, and some of the outputted bits are inputted to the exclusive-OR gate 411 (see FIG. 2).

The structure of each of the pseudorandom number generating circuits 401_1 to 401_n will be described below. Each of the pseudorandom number generating circuits 401_1 to 401_n may be a pseudorandom number generating circuit 501 which comprises only a linear feedback shift register, as shown in FIG. 4, or a pseudorandom number generating circuit 511 which comprises a combination of a nonlinear function circuit and a linear feedback shift register, as shown in FIG. 5. Alternatively, each of the pseudorandom number generating circuits 401_1 to 401_n may be of another, different circuit arrangement.

The pseudorandom number generating circuit 501 which comprises only a linear feedback shift register, as shown in FIG. 4, will be described below. As shown in FIG. 4, the pseudorandom number generating circuit 501 comprises a shift register 502 and an exclusive-OR gate 503. The shift register 502 has the same structure as the shift register 410 shown in FIG. 3, though it may have a different number of stages. The shift register 502 has a clock input terminal, a mode switching signal input terminal, and an internal state input terminal connected respectively to the input terminals 405, 406 and 407. Only predetermined bits of the output from the internal state output terminal of the shift register 502 are supplied to the exclusive-OR gate 503, which supplies its output signal to the output terminal 504 and also to the shift input terminal of the shift register 502. The exclusive-OR gate 503 performs an exclusive-OR operation on the inputted bits and outputs the result. The pseudorandom number generating circuit 501 shown in FIG. 4 is a so-called M-sequence (maximum-length linearly recurring sequence) generating circuit. Since the randomness of pseudorandom numbers generated by the pseudorandom number generating circuit 501 alone is not high and its initial state can easily be estimated (every output bit is a linear function of the initial state, so a short run of output bits determines it), the pseudorandom number generating circuit 501 alone is not suitable for generating pseudorandom numbers for the purpose of encrypting information.

The pseudorandom number generating circuit 511 shown in FIG. 5 comprises a shift register 512, an exclusive-OR gate 513, and a nonlinear function circuit 514. The shift register 512 has the same structure as the shift register 410 shown in FIG. 3, though it may have a different number of stages. The shift register 512 has a clock input terminal, a mode switching signal input terminal, and an internal state input terminal connected respectively to the input terminals 405, 406 and 407. Only predetermined bits of the output from the internal state output terminal of the shift register 512 are supplied to the exclusive-OR gate 513, which supplies its output signal to the shift input terminal of the shift register 512. The exclusive-OR gate 513 performs an exclusive-OR operation on the inputted bits and outputs the result. All or predetermined bits of the output from the internal state output terminal of the shift register 512 are supplied to the nonlinear function circuit 514 and nonlinearly combined thereby. The nonlinear function circuit 514 outputs the nonlinearly combined signal as a pseudorandom number through an output terminal 515.

The combining function will be described below. The combining function serves to nonlinearly combine the inputted bits and output a nonlinearly combined signal. A combining function circuit which computes a combining function may be implemented by a logic function circuit, a read-only memory (ROM), or a combination thereof. FIG. 6 is a functional block diagram of a 3-input combining function circuit 450. The combining function circuit 450 can be used as the combining function circuit 402 in the pseudorandom number generator shown in FIG. 1 or FIG. 2 where n = 3, i.e., the number of pseudorandom number generating circuits is 3.

As shown in FIG. 6, the combining function circuit 450 comprises an inverter 451, first and second 2-input AND gates 452 and 453, a 2-input exclusive-OR gate 454, first, second, and third input terminals 455_1 to 455_3 for being supplied with the pseudorandom numbers generated by respective different pseudorandom number generating circuits, and an output terminal 458 connected to the output terminal of the exclusive-OR gate 454. The pseudorandom number inputted to the first input terminal 455_1 is supplied to one input of the first AND gate 452, and the pseudorandom number inputted to the second input terminal 455_2 is supplied to the other input of the first AND gate 452 and to the inverter 451. The second AND gate 453 is supplied with the pseudorandom number inputted to the third input terminal 455_3 and with the pseudorandom number inputted to the second input terminal 455_2 after inversion by the inverter 451. The first and second AND gates 452 and 453 perform AND operations on their inputs and output the results to the exclusive-OR gate 454. The exclusive-OR gate 454 performs an exclusive-OR operation on the outputs of the first and second AND gates 452 and 453 and outputs the result through the output terminal 458. Writing the three inputs as x_1, x_2 and x_3, the circuit computes y = x_1·x_2 ⊕ (NOT x_2)·x_3: the second input selects whether the first or the third input is passed to the output. The output therefore agrees with x_1 (and likewise with x_3) three quarters of the time, which is exactly the kind of non-uniform conditional distribution that the correlation attack described above exploits.

The conventional pseudorandom number generators described above in detail suffer from the drawback that if they have a reduced circuit scale, then they can generate only pseudorandom numbers of low nonlinearity, and if they are to generate highly nonlinear pseudorandom numbers, they require an increased circuit scale. Specifically, if the circuit scale of a pseudorandom number generator is to be reduced, it is effective to use pseudorandom number generating circuits comprising only a linear feedback shift register. In such a circuit arrangement, however, only the combining function circuit carries out a nonlinear conversion, and hence the generator fails to produce pseudorandom numbers which are highly nonlinear. If the number of pseudorandom number generating circuits is reduced in order to reduce the overall circuit scale, then the number of inputs to the combining function is also reduced, the nonlinearity of the combining function is reduced, and the pseudorandom number generator will generate pseudorandom numbers of low nonlinearity. Conversely, if the nonlinearity of the generated pseudorandom numbers is to be increased, it is effective to use a combination of a nonlinear function circuit and a linear feedback shift register as each pseudorandom number generating circuit. Such a circuit arrangement, however, requires as many nonlinear function circuits, each composed of complex logic circuits or read-only memories, as there are pseudorandom number generating circuits, necessarily resulting in an increased circuit scale. Increasing the number of inputs to the combining function for the purpose of increasing the nonlinearity of the pseudorandom numbers has to be accompanied by a corresponding increase in the number of pseudorandom number generating circuits.

It is therefore an object of the present invention to provide a pseudorandom number generator which eliminates the foregoing shortcomings of the conventional pseudorandom number generators and is capable of generating a sequence of highly nonlinear pseudorandom numbers with a relatively small number of pseudorandom number generating circuits, each comprising only a linear feedback shift register, so that the pseudorandom number generator is suitable for use in producing stream ciphers.

According to the present invention, the above object is achieved by a pseudorandom number generator having a pseudorandom number generating circuit operable in synchronism with a clock signal, and a shift register which shifts its stored bits one bit at a time in a direction from one end to the other end in synchronism with the clock signal and stores at the one end a signal based on at least the output of the pseudorandom number generating circuit, wherein the pseudorandom number generator includes a nonlinear function circuit for nonlinearly combining predetermined bits of the stored bits of the shift register and outputting a nonlinearly combined signal, and the nonlinear function circuit outputs a pseudorandom number in synchronism with the clock signal.

In the conventional pseudorandom number generator shown in FIG. 2, the output sequence of the combining function circuit 402 is held by the shift register 410, and all or predetermined bits of the internal state of the shift register 410 are linearly combined by the exclusive-OR gate 411 to generate a pseudorandom number. With this arrangement, the conditional probability distribution of the pseudorandom numbers conditioned on the output of a certain pseudorandom number generating circuit 401_j (1 ≤ j ≤ n) is made substantially uniform, so a correlation attack is difficult to carry out. Such a scheme has long been used also for the purpose of making uniform the distribution of random numbers generated by a physical method, e.g., random numbers determined by casting dice. Consequently, a linear combination has been considered effective to prevent a correlation attack.

However, a conditional probability is made uniform by a linear combination not because of the linearity of the linear combination, but because of its uniformity. The term "uniformity" means that "0"s and "1"s are produced with substantially the same probability when randomly given bits are combined. Therefore, it should be possible to prevent a correlation attack with a nonlinear combination, rather than a linear combination, provided that the nonlinear combination is uniform.

According to the present invention, a nonlinear function circuit for nonlinearly combining predetermined bits of the stored bits of a shift register is used in place of the exclusive-OR gate in the conventional pseudorandom number generator shown in FIG. 2, and the predetermined bits of the internal state of the shift register, which is supplied with the output of a combining function circuit, are nonlinearly combined by the nonlinear function circuit. The nonlinearly combined signal from the nonlinear function circuit is then outputted as a pseudorandom number. This arrangement allows the pseudorandom number generator to generate highly nonlinear pseudorandom numbers while maintaining its ability to prevent a correlation attack. According to the present invention, furthermore, an exclusive-OR gate may be inserted between the combining function circuit and the shift register for supplying the shift register with a signal produced by an exclusive-OR operation between the outputs of the nonlinear function circuit and the combining function circuit. In this manner, the output of the nonlinear function circuit is fed back to the shift register. Even if the nonlinearity of the nonlinear combination performed by the nonlinear function circuit is low, repeated application of a conversion of low nonlinearity yields a conversion of high nonlinearity, in the same way that squaring x gives x^2, squaring x^2 gives x^4, and squaring x^4 gives x^8. It is thus possible for the pseudorandom number generator to generate pseudorandom numbers of higher nonlinearity.

The above and other objects, features, and advantages of the present invention will become apparent from the following description with reference to the accompanying drawings, which illustrate examples of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a functional block diagram of an example of a conventional pseudorandom number generator;
FIG. 2 is a functional block diagram of an example of a conventional pseudorandom number generator which is designed to protect itself from a correlation attack;
FIG. 3 is a block diagram of a shift register in the conventional pseudorandom number generator shown in FIG. 2;
FIG. 4 is a functional block diagram of a pseudorandom number generating circuit comprising a linear feedback shift register;
FIG. 5 is a functional block diagram of a pseudorandom number generating circuit comprising a nonlinear function circuit and a linear feedback shift register;
FIG. 6 is a block diagram of a 3-input combining function circuit;
FIG. 7 is a functional block diagram of a pseudorandom number generator according to a first embodiment of the present invention;
FIG. 8 is a block diagram of an example of a nonlinear function circuit;
FIG. 9 is a block diagram of another example of a nonlinear function circuit;
FIG. 10 is a functional block diagram of a pseudorandom number generator according to a second embodiment of the present invention; and
FIG. 11 is a functional block diagram of a pseudorandom number generator according to a third embodiment of the present invention.



EP 0 782 069 A1



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

First Embodiment 

As shown in FIG. 7, a pseudorandom number generator according to a first embodiment of the present invention comprises n pseudorandom number generating circuits 101_1 to 101_n, where n is an integer of 2 or higher, a combining function circuit 102 for nonlinearly combining the outputs from the n pseudorandom number generating circuits 101_1 to 101_n and outputting a nonlinearly combined signal, a shift register 103 which receives the output of the combining function circuit 102 as its shift input, a nonlinear function circuit 104 for calculating a nonlinear combination of predetermined bits of the internal state of the shift register 103 or of all the stored bits of the shift register 103, an input terminal 105 for being supplied with a control pulse (a clock pulse), an input terminal 106 for mode control, and an input terminal 107 for inputting a bit sequence called an initial state. In the pseudorandom number generator, the result calculated by the nonlinear function circuit 104 is outputted from an output terminal 108 as a bit stream representing a pseudorandom number, in synchronism with the clock signal supplied to the input terminal 105. As indicated by the dotted line in FIG. 7, the output of the combining function circuit 102 may also be applied to the nonlinear function circuit 104.

Each of the pseudorandom number generating circuits 101_1 to 101_n is connected to the input terminals 105, 106 and 107. If a control pulse is inputted to the input terminal 105 while a signal "0" is being supplied to the input terminal 106, then each of the pseudorandom number generating circuits 101_1 to 101_n reads an initial state supplied from the input terminal 107 and holds it as an internal state. Each time a control pulse is inputted to the input terminal 105 while a signal "1" is being supplied to the input terminal 106, each of the pseud
orandom number generating circuits 101_1 to 101_n outputs a pseudorandom number. Each of the pseudorandom number generating circuits 101_1 to 101_n may preferably be a pseudorandom number generating circuit comprising only a linear feedback shift register, as shown in FIG. 4. The shift register 103 is also connected to the input terminals 105, 106 and 107. If a control pulse is inputted to the input terminal 105 while a signal "0" is being supplied to the input terminal 106, then the shift register 103 holds a bit sequence called an initial state, supplied from the input terminal 107, as its internal state. Each time a control pulse is inputted to the input terminal 105 while a signal "1" is being supplied to the input terminal 106, the shift register 103 shifts its internal state one bit to the right and holds the output of the combining function circuit 102 in its left end bit. The shift register 103 may be of the structure shown in FIG. 3.

The pseudorandom number generating circuits 101_1 to 101_n, the combining function circuit 102, and the input terminals 105, 106 and 107 of the present embodiment correspond respectively to the pseudorandom number generating circuits 401_1 to 401_n, the combining function circuit 402, and the input terminals 405, 406 and 407 of the conventional pseudorandom number generator shown in FIGS. 1 and 2. The shift register 103 corresponds to the shift register 410 shown in FIG. 2.

The combining function circuit 102 and the nonlinear function circuit 104 are named differently according to the terminology in the art. However, they are similar in that both perform a nonlinear combination of the inputs applied to them, though they may differ in the number of inputs and in internal structure.

The nonlinear function circuit 104 may comprise any of various circuits insofar as they perform a uniform nonlinear combination of the inputs applied thereto. For example, the nonlinear function circuit 104 may comprise a look-up table stored in a read-only memory (ROM). Specifically, as shown in FIG. 8, equal numbers of "0"s and "1"s are written in a ROM 151, the inputs to the nonlinear function circuit 104 are applied to the address input terminals of the ROM 151, and the 1-bit data read from the ROM 151 is the output of the nonlinear function circuit 104. A table with equal numbers of "0"s and "1"s is uniform in the sense defined above, but that alone does not make its output independent of each individual address bit (a table that simply copies one address bit is also uniform); the table contents have to be chosen so that the output agrees with each input bit about half the time, since that agreement is what a correlation attack measures.

If the number of inputs to the nonlinear function circuit 104, i.e., the number of address inputs required of the ROM 151, exceeds the number of address input terminals of the ROM 151, then the nonlinear function circuit 104 cannot be implemented by a single ROM. In such a case, as shown in FIG. 9, the nonlinear function circuit 104 may comprise a plurality of the ROMs 151 described above and an exclusive-OR gate 152. The outputs of the ROMs 151 are inputted to the exclusive-OR gate 152, and the output of the exclusive-OR gate 152 is taken as the output of the nonlinear function circuit 104.

In general, the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103 are supplied with different initial states through the input terminal 107. Since each of the initial states supplied to the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103 is represented by a number of bits depending on its internal bit width, the bit width of the input terminal 107 may be made equal to the total of the internal bit widths of the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103. Alternatively, the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103 may be controlled independently to set their respective internal states. In the illustrated embodiment, an initial state setting circuit 110 is connected to the input terminal 107 to generate initial states for the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103, thereby establishing the bit sequences of the initial states in the pseudorandom number generating circuits 101_1 to 101_n and the shift register 103.
For generating a pseudorandom number with the 
pseudorandom number generator according to the 
present invention, initial states for the pseudorandom 
number generating circuits 101_1 to 101_n and the shift 
register 103 are supplied from the initial state setting cir- 
cuit 110 to the input terminal 107. Then, a signal "0" is 
supplied to the input terminal 106, and a control pulse is 
inputted to the input terminal 105. As a result, the initial 
states are established respectively in the pseudoran- 
dom number generating circuits 101_1 to 101_n and the 
shift register 103. Thereafter, a signal "1" is supplied to 
the input terminal 106. Subsequently, each time a con- 
trol pulse is inputted to the input terminal 105, one bit of 
a pseudorandom number is produced from the output 
terminal 108. 

The pseudorandom number generator according to 
the present invention employs a nonlinear function cir- 
cuit for performing a uniform nonlinear combination, 
rather than a linear combining circuit in order to uni- 
formize a conditional probability distribution of pseudor- 
andom numbers which is conditioned by an output from 
a certain pseudorandom number generating circuit. 
Therefore, pseudorandom numbers generated by the 
pseudorandom number generator are highly nonlinear, 
and hence are highly resistant to a correlation attack 
and suitable for use in producing stream ciphers. Even 
if each of the pseudorandom number generating circuits 
comprises a simple linear feedback shift register, the 
pseudorandom number generator can generate highly 
nonlinear pseudorandom numbers. Consequently, the 
pseudorandom number generator according to the 
present embodiment can generate highly nonlinear 
pseudorandom numbers with a circuit arrangement of a 
relatively small scale at a low cost. 


Second Embodiment: 

FIG. 10 shows a pseudorandom number generator 
according to a second embodiment of the present 
invention. As shown in FIG. 10, the pseudorandom 
number generator according to the second embodiment 
differs from the pseudorandom number generator 
according to the first embodiment in that an exclusive- 
OR gate 111 is inserted between the combining func- 
tion circuit 102 and the shift register 103 to supply an 
output from the exclusive-OR gate 111, rather than an 
output from the combining function circuit 102, to the 
shift input terminal of the shift register 103. The exclu- 
sive-OR gate 111 performs an exclusive-OR operation 
between outputs from the combining function circuit 102 
and the nonlinear function circuit 104, and outputs the 
result of the exclusive-OR operation. In the pseudoran- 
dom number generator according to the second embod- 
iment, because the output from the nonlinear function 
circuit 104 is fed back to the shift register 103 through 
the exclusive-OR gate 111, a highly nonlinear pseudor- 
andom number can be produced from the output termi- 
nal 108 even if the nonlinearity of the nonlinear function 
circuit 104 is low. Therefore, the nonlinear function cir- 
cuit 104 may be of a reduced circuit scale. The pseudor- 
andom number generator according to the second 
embodiment produces a pseudorandom number in the 
same manner as the pseudorandom number generator 
according to the first embodiment. 

Third Embodiment: 

In each of the first and second embodiments, the 
nonlinearity of the pseudorandom number generator is 
increased by the nonlinear function circuit 104 con- 
nected to the output terminal 108. Particularly, in the 
second embodiment in which the output from the nonlin- 
ear function circuit 104 is fed back to the shift register 
103, the pseudorandom number generator may be able 
to generate pseudorandom numbers which are suffi- 
ciently highly nonlinear even if it has one pseudorandom 
number generating circuit. According to a third embodi- 
ment shown in FIG. 11, a pseudorandom number gen- 
erator has a single pseudorandom number generating 
circuit 101. Since only one pseudorandom number gen- 
erating circuit 101 is used, no combining function circuit 
is required, and an output from the pseudorandom 
number generating circuit 101 is inputted directly to the 
exclusive-OR gate 111. Other structural details and 
operation of the pseudorandom number generator 
according to the third embodiment are identical to those 
of the pseudorandom number generator according to 
the second embodiment. 
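The generation procedure of the first embodiment (initial states loaded through terminal 107, then one keystream bit per control pulse), the exclusive-OR feedback of the second embodiment and the single-LFSR form of the third embodiment, modelled bit by bit in one added Python example. This is example code, not the patent's own circuit: the feedback polynomials, the majority combining function, the algebraic nonlinear function (the patent uses a ROM look-up table) and the 8-bit width and tap positions of shift register 103 are all assumptions chosen here.

```python
"""Bit-level model of the three embodiments, written as an added example
(not the patent's circuit). The combining function, the nonlinear function
and the register sizes are assumptions made for this example."""


def lfsr_step(state, taps, width):
    """One clock of a Fibonacci LFSR (one pseudorandom number generating
    circuit 101). Bit 0 is the output; the XOR of the 0-based tap positions
    becomes the new top bit. Returns (output_bit, new_state)."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return state & 1, (state >> 1) | (fb << (width - 1))


def majority(bits):
    """Assumed combining function 102: majority of an odd number of LFSR outputs."""
    return 1 if 2 * sum(bits) > len(bits) else 0


def nonlinear(x):
    """Assumed nonlinear function 104 on five register bits:
    x0*x1 + x2*x3 + x4 over GF(2), which is balanced and of degree 2."""
    x0, x1, x2, x3, x4 = x
    return (x0 & x1) ^ (x2 & x3) ^ x4


class Generator:
    SR_WIDTH = 8                 # width of shift register 103 (assumed)
    SR_TAPS = (0, 2, 3, 5, 7)    # "predetermined bits" fed to circuit 104 (assumed)

    def __init__(self, lfsrs, sr_initial, embodiment):
        """lfsrs: list of (taps, width, initial_state), one per circuit 101.
        sr_initial: initial contents of register 103 (what circuit 110 supplies).
        embodiment: 1 (plain shift-in of the combined bit), 2 (FIG. 10, XOR
        feedback through gate 111) or 3 (FIG. 11, single LFSR, no circuit 102)."""
        if embodiment not in (1, 2, 3):
            raise ValueError("embodiment must be 1, 2 or 3")
        if embodiment == 3 and len(lfsrs) != 1:
            raise ValueError("the third embodiment has exactly one generating circuit")
        self.lfsrs = [[taps, width, state & ((1 << width) - 1)]
                      for taps, width, state in lfsrs]
        if any(l[2] == 0 for l in self.lfsrs):
            raise ValueError("an all-zero LFSR state never leaves zero")
        self.mask = (1 << self.SR_WIDTH) - 1
        self.sr = sr_initial & self.mask
        self.embodiment = embodiment

    def clock(self):
        """One control pulse on terminal 105: one keystream bit at terminal 108."""
        # circuit 104 reads the predetermined bits of the current register contents
        y = nonlinear([(self.sr >> t) & 1 for t in self.SR_TAPS])
        outs = []
        for lfsr in self.lfsrs:
            out, lfsr[2] = lfsr_step(lfsr[2], lfsr[0], lfsr[1])
            outs.append(out)
        # combining function circuit 102 is absent in the third embodiment
        c = outs[0] if self.embodiment == 3 else majority(outs)
        # gate 111 XORs the 104 output into the shifted-in bit in embodiments 2 and 3
        new_bit = c if self.embodiment == 1 else c ^ y
        self.sr = ((self.sr << 1) & self.mask) | new_bit
        return y

    def keystream(self, n):
        return [self.clock() for _ in range(n)]


def xor_bits(bits, keystream):
    """Stream-cipher use: XOR with the keystream; the same call decrypts."""
    return [b ^ k for b, k in zip(bits, keystream)]


def lfsr_period(taps, width, state):
    """Clocks until the LFSR state repeats; a quick check of a feedback polynomial."""
    s, n = state, 0
    while True:
        _, s = lfsr_step(s, taps, width)
        n += 1
        if s == state:
            return n


if __name__ == "__main__":
    # constructed parameters: x^5+x^2+1, x^3+x+1 and x^7+x+1 as feedback polynomials
    lfsrs = [((0, 2), 5, 0b00001), ((0, 1), 3, 0b101), ((0, 1), 7, 0b1011011)]
    for emb in (1, 2):
        print("embodiment", emb, Generator(lfsrs, 0xFF, emb).keystream(16))
    print("embodiment 3", Generator(lfsrs[:1], 0xFF, 3).keystream(16))
```

The only difference between the modes is the bit shifted into register 103 at each pulse, which is exactly where gate 111 sits in FIG. 10 and FIG. 11; with one LFSR and `embodiment=1` the model degenerates to the output of circuit 104 over a delayed copy of the LFSR sequence, which is the case the third embodiment's feedback is meant to strengthen.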

It is to be understood that although the characteris- 
tics and advantages of the present invention have been 
set forth in the foregoing description, the disclosure is 
illustrative only and changes may be made in the 
arrangement of the parts within the scope of the 
appended claims. 

Claims 

1. A pseudorandom number generator having a pseu- 
dorandom number generating circuit operable in 
synchronism with a clock signal and a shift register 
for shifting stored bits one bit at a time in a direction 
from one end to the other end thereof in synchro- 
nism with the clock signal and storing a signal 
based on at least an output from the pseudorandom 
number generating circuit at said one end, wherein 

the pseudorandom number generator 
includes a nonlinear function circuit for nonlinearly 
combining predetermined bits of the stored bits of 
the shift register and outputting a nonlinearly com- 
bined signal; and 

said nonlinear function circuit outputs a 
pseudorandom number in synchronism with the 
clock signal. 

2. A pseudorandom number generator according to 
claim 1, wherein said pseudorandom number gen- 
erating circuit is a linear feedback shift register. 



EP 0 782 069 A1 

3. A pseudorandom number generator according to 
claim 1 or 2, wherein said nonlinear function circuit 
comprises a read-only memory storing a look-up 
table containing equal numbers of "0"s and "1"s 
written in said read-only memory, and said prede- 
termined bits of the stored bits of the shift register 
are given as an address to said read-only memory. 

4. A pseudorandom number generator comprising: 

a plurality of pseudorandom number generat- 
ing circuits which operate synchronously with 
each other in response to a clock signal; 
a combining function circuit for combining out- 
puts from said pseudorandom number generat- 
ing circuits according to a nonlinear function 
and outputting a first combined signal; 
a shift register for shifting stored bits one bit at 
a time in a direction from one end to the other 
end thereof in synchronism with the clock sig- 
nal and storing an output from said combining 
function circuit at said one end; and 
a nonlinear function circuit for nonlinearly com- 
bining predetermined bits of the stored bits of 
the shift register and outputting a second com- 
bined signal; wherein 

said nonlinear function circuit outputs a 
pseudorandom number in synchronism with the 
clock signal. 

5. A pseudorandom number generator comprising: 

a plurality of pseudorandom number generat- 
ing circuits which operate synchronously with 
each other in response to a clock signal; 
a combining function circuit for combining out- 
puts from said pseudorandom number generat- 
ing circuits according to a nonlinear function 
and outputting a first combined signal; 
a shift register for storing bits; 
a nonlinear function circuit for nonlinearly com- 
bining predetermined bits of the stored bits of 
the shift register and outputting a second com- 
bined signal; and 
an exclusive-OR gate for performing an exclu- 
sive-OR operation between the first combined 
signal and the second combined signal, and 
outputting a result signal of the exclusive-OR 
operation; wherein 

said shift register shifts the stored bits one 
bit at a time in a direction from one end to the other 
end thereof in synchronism with the clock signal 
and stores an output from said exclusive-OR gate 
at said one end; and 

said nonlinear function circuit outputs a 
pseudorandom number in synchronism with the 
clock signal. 



6. A pseudorandom number generator according to 
claim 4 or 5, wherein said nonlinear function circuit 
comprises means for nonlinearly combining said 
predetermined bits uniformly. 

7. A pseudorandom number generator according to 
any of claims 4 to 6, wherein the first combined sig- 
nal is inputted to said nonlinear function circuit, and 
said nonlinear function circuit nonlinearly combines 
predetermined bits of the stored bits of the shift reg- 
ister and the first combined signal, and outputs the 
second combined signal. 

8. A pseudorandom number generator according to 
any of claims 4 to 7, wherein said nonlinear function 
circuit comprises a read-only memory storing a 
look-up table containing equal numbers of "0"s and 
"1"s written in said read-only memory, and said pre- 
determined bits of the stored bits of the shift regis- 
ter are given as an address to said read-only 
memory. 

9. A pseudorandom number generator according to 
any of claims 4 to 8, wherein each of said pseudor- 
andom number generating circuits is a linear feed- 
back shift register. 

10. A pseudorandom number generator according to 
any of claims 4 to 9, further comprising an initial 
value setting circuit for establishing initial values in 
said pseudorandom number generating circuits and 
said shift register. 

11. A pseudorandom number generator comprising: 

a single pseudorandom number generating cir- 
cuit which operates in synchronism with a clock 
signal; 
a shift register for storing bits; 
a nonlinear function circuit for nonlinearly com- 
bining predetermined bits of the stored bits of 
the shift register and outputting a nonlinearly 
combined signal; and 
an exclusive-OR gate for performing an exclu- 
sive-OR operation between an output of said 
pseudorandom number generating circuit and 
the nonlinearly combined signal outputted from 
said nonlinear function circuit, and outputting a 
result signal of the exclusive-OR operation; 
wherein 

said shift register shifts the stored bits one 
bit at a time in a direction from one end to the other 
end thereof in synchronism with the clock signal 
and stores an output from said exclusive-OR gate 
at said one end; and 

said nonlinear function circuit outputs a 
pseudorandom number in synchronism with the 
clock signal. 
12. A pseudorandom number generator according to 
claim 11, wherein said nonlinear function circuit 
comprises means for nonlinearly combining said 
predetermined bits uniformly. 

13. A pseudorandom number generator according to 
claim 11 or 12, wherein said nonlinear function cir- 
cuit comprises a read-only memory storing a look- 
up table containing equal numbers of "0"s and "1"s 
written in said read-only memory, and said prede- 
termined bits of the stored bits of the shift register 
are given as an address to said read-only memory. 

14. A pseudorandom number generator according to 
any of claims 11 to 13, wherein said pseudorandom 
number generating circuit is a linear feedback shift 
register. 

15. A pseudorandom number generator according to 
any of claims 11 to 14, further comprising an initial 
value setting circuit for establishing initial values in 
said pseudorandom number generating circuit and 
said shift register. 